GitHub vs Snyk: What are the differences?
Key Differences between GitHub and Snyk
1. Integration with Development Workflow: GitHub is a web-based version control platform that enables developers to collaborate and manage their code. It provides a complete code development and management environment, allowing users to create repositories, collaborate on projects, and track changes made to the codebase. On the other hand, Snyk is primarily focused on security and vulnerability management. It integrates with the existing development workflow and provides automated security testing and monitoring to help developers identify and fix vulnerabilities in their code.
2. Scope and Purpose: GitHub is primarily used as a code repository and collaboration platform, allowing developers to work on code together and manage the versioning and history of their projects. It provides features like pull requests, issue tracking, and project management tools. Snyk, on the other hand, specifically focuses on identifying and fixing security vulnerabilities in software dependencies and container images. It provides automated vulnerability scanning, remediation advice, and developer-friendly workflows for fixing vulnerabilities.
3. Vulnerability Detection and Monitoring: GitHub provides basic vulnerability scanning through its Dependabot security alerts feature. It alerts developers about any known vulnerabilities in their project dependencies. However, Snyk provides more comprehensive vulnerability detection and monitoring capabilities. It offers advanced vulnerability databases and continuous monitoring for both open source and proprietary code. It can detect vulnerabilities not only in dependencies but also in container images, giving developers a more complete view of potential security threats.
4. Remediation Advice and Fixes: When a vulnerability is detected, GitHub provides information about the affected dependency and suggests possible solutions or fixes through its security alerts. However, Snyk goes a step further by providing extensive remediation advice and fixes. It offers actionable recommendations on how to remediate vulnerabilities, including code changes and version upgrades. Snyk also provides pull requests and automated fixes for certain vulnerabilities, making it easier for developers to apply the necessary patches.
5. Developer-Focused Workflow: GitHub provides a developer-friendly workflow with features like pull requests, code review tools, and project management functionalities. It is designed to facilitate collaboration and code contribution among developers. Snyk, on the other hand, focuses on providing developers with a streamlined and integrated security workflow. It integrates with popular development tools and CI/CD pipelines, enabling developers to easily incorporate security testing and remediation into their existing processes.
6. Open Source and Pricing: GitHub offers free hosting for public repositories and a range of paid plans for private repositories. It also provides free access to its basic security features, including vulnerability alerts. Snyk offers a free tier for open source projects, allowing developers to scan and monitor vulnerabilities in their open source dependencies. However, for private repositories and additional features like detailed vulnerability reports and fix PRs, Snyk offers different pricing tiers.
In summary, GitHub provides a comprehensive code development and management platform, while Snyk focuses specifically on vulnerability detection, monitoring, and remediation in software dependencies and container images.
I'm beginning to research the right way to better integrate how we achieve SCA / shift-left / SecureDevOps / secure software supply chain. If you use or have evaluated WhiteSource, Snyk, Sonatype Nexus, SonarQube or similar, I would very much appreciate your perspective on strengths and weaknesses and how you selected your ultimate solution. I want to integrate with GitLab CI.
I'd recommend Snyk since it provides an IDE extension for developers, SAST, auto PR security fixes, container, IaC and includes open source scanning as well. I like their scoring method as well for better prioritization. I was able to remove most of the containers and CLI tools I had in my pipelines since Snyk covers secrets, vulns, security and some code cleaning. SAST has false positives but the scoring helps. Also had to spend time putting together some training docs, but their engineers helped out with content.
Do you review your Pull/Merge Request before assigning Reviewers?
If you work in a team, opening a Pull Request (or Merge Request) looks appropriate. However, have you ever thought about opening a Pull/Merge Request when working by yourself? Here's a checklist of things you can review on your own:
- Pick the correct target branch
- Make Drafts explicit
- Name things properly
- Ask help for tools
- Remove the noise
- Fetch necessary data
- Understand Mergeability
- Pass the message
- Add screenshots
- Be found in the future
- Comment inline in your changes
Read the blog post for a more detailed explanation of each item :D
What else do you review before asking for code review?
Using inclusive language is crucial for fostering a diverse culture. Git has changed its naming conventions to be more language-inclusive, and so should you. Our development tools, like GitHub and GitLab, already support the change.
SourceLevel deals very nicely with repositories that changed the master branch to a more appropriate word. Besides, you can use the grep linter to look for exclusive terms contained in the source code.
As the inclusive language gap may happen in other aspects of our lives, have you already thought about them?
One of the magic tricks git performs is the ability to rewrite log history. You can do it in many ways, but git rebase -i is the one I use most. With this command, it's possible to switch the order of commits, remove a commit, squash two or more commits, or edit a commit, for instance.
It's particularly useful to run it before opening a pull request. It allows developers to "clean up" the mess and organize commits before submitting to review. If you follow practices 3 and 4, then the list of commits should look very similar to a task list. It should reveal the rationale you had, telling the story of how you ended up with that final code.
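The clean-up step the post describes, as an added example that is not from the post's author: a POSIX shell script (assumed to run with git on PATH and a writable temp directory) that drives git rebase -i non-interactively. GIT_SEQUENCE_EDITOR replaces the editor that would normally show the rebase todo list, so the squash and the drop can be scripted and checked in a throwaway repository. The repository, commit messages and author identity are constructed for the example; the helper names (make_repo, make_todo_editor, squash_last_two, drop_commit) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: script `git rebase -i` by
# supplying the todo-list editor via GIT_SEQUENCE_EDITOR. Everything runs in
# a temporary repository created here, so no real history is touched.
set -eu

# Create a temporary repository with three constructed commits; print its path.
make_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" config user.email "dev@example.invalid"   # constructed identity
  git -C "$dir" config user.name "Example Dev"
  for n in 1 2 3; do
    echo "change $n" > "$dir/file$n.txt"
    git -C "$dir" add "file$n.txt"
    git -C "$dir" commit -q -m "commit $n"
  done
  echo "$dir"
}

# Write a tiny "editor" that edits the rebase todo list instead of a human:
# it rewrites the "pick" on line $1 of the todo list into the action $2
# (squash, drop, reword, ...). Prints the path of the generated script.
make_todo_editor() {
  line=$1; action=$2
  editor=$(mktemp)
  printf '#!/bin/sh\nsed "%ss/^pick/%s/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"\n' \
    "$line" "$action" > "$editor"
  chmod +x "$editor"
  echo "$editor"
}

# Squash the last two commits into one. Git proposes a message made of both
# original messages; GIT_EDITOR=true accepts it without opening an editor.
squash_last_two() {
  repo=$1
  editor=$(make_todo_editor 2 squash)
  GIT_SEQUENCE_EDITOR="$editor" GIT_EDITOR=true \
    git -C "$repo" rebase -i HEAD~2 >/dev/null 2>&1
  rm -f "$editor"
}

# Remove one commit from the rebased range by its position in the todo list
# (1 = oldest commit of the range), e.g. a stray debug commit.
drop_commit() {
  repo=$1; position=$2; range=$3
  editor=$(make_todo_editor "$position" drop)
  GIT_SEQUENCE_EDITOR="$editor" git -C "$repo" rebase -i "$range" >/dev/null 2>&1
  rm -f "$editor"
}

# Helpers used to inspect the resulting history.
count_commits() { git -C "$1" rev-list --count HEAD; }
subjects() { git -C "$1" log --reverse --format=%s; }

# Stand-alone demonstration: squash commits 2 and 3, then show what remains.
repo=$(make_repo)
squash_last_two "$repo"
echo "commits after squash: $(count_commits "$repo")"
subjects "$repo"
rm -rf "$repo"
```

Rewriting history this way only belongs on a branch nobody else has pulled yet; once commits are shared, rebasing them forces every collaborator to reconcile diverged history.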
Out of most of the VCS solutions out there, we found GitLab was the most feature complete with a free community edition. Their DevSecOps offering is also a very robust solution. GitLab CI/CD was quite easy to set up and the direct integration with your VCS + CI/CD is also a bonus. Out of the box integration with major cloud providers, alerting through instant messages etc. are all extremely convenient. We push our CI/CD updates to MS Teams.
GitLab has A LOT of features that GitHub and Azure DevOps are missing. Even if both GH and Azure are backed by Microsoft, GitLab being open source has a faster upgrade rate and the hosted by gitlab.com solution seems more appealing than anything else! Quick win: the UI is way better and the Pipeline is way easier to set up on GitLab!
At DeployPlace we use self-hosted GitLab; we have chosen GitLab as most of us are familiar with it. We are happy with all the features GitLab provides; I can't imagine our life without integrated GitLab CI. Another important feature for us is the integrated code review tool, which we use every day: we use merge requests, code reviews, branching. To be honest, most of us have GitHub accounts as well, we like to contribute to open source, and we want to be a part of the tech community, but the lack of solutions from GitHub in the area of CI doesn't let us choose it for our projects.
Pros of GitHub (upvotes in parentheses)
- Open source friendly (1.8K)
- Easy source control (1.5K)
- Nice UI (1.3K)
- Great for team collaboration (1.1K)
- Easy setup (867)
- Issue tracker (504)
- Great community (487)
- Remote team collaboration (483)
- Great way to share (449)
- Pull request and features planning (442)
- Just works (147)
- Integrated in many tools (132)
- Free Public Repos (122)
- Github Gists (116)
- Github pages (113)
- Easy to find repos (83)
- Open source (62)
- Easy to find projects (60)
- It's free (60)
- Network effect (56)
- Extensive API (49)
- Organizations (43)
- Branching (42)
- Developer Profiles (34)
- Git Powered Wikis (32)
- Great for collaboration (30)
- It's fun (24)
- Clean interface and good integrations (23)
- Community SDK involvement (22)
- Learn from others' source code (20)
- Because: Git (16)
- It integrates directly with Azure (14)
- Standard in Open Source collab (10)
- Newsfeed (10)
- Fast (8)
- Beautiful user experience (8)
- It integrates directly with Hipchat (8)
- Easy to discover new code libraries (7)
- Smooth integration (6)
- Integrations (6)
- Graphs (6)
- Nice API (6)
- It's awesome (6)
- Cloud SCM (6)
- Quick Onboarding (5)
- Remarkable uptime (5)
- CI Integration (5)
- Reliable (5)
- Hands down best online Git service available (5)
- Version Control (4)
- Unlimited Public Repos at no cost (4)
- Simple but powerful (4)
- Loved by developers (4)
- Free HTML hosting (4)
- Uses GIT (4)
- Security options (4)
- Easy to use and collaborate with others (4)
- Easy deployment via SSH (3)
- Ci (3)
- IAM (3)
- Nice to use (3)
- Easy and efficient maintenance of the projects (2)
- Beautiful (2)
- Self Hosted (2)
- Issues tracker (2)
- Easy source control and everything is backed up (2)
- Never dethroned (2)
- All in one development service (2)
- Good tools support (2)
- Free HTML hostings (2)
- IAM integration (2)
- Very Easy to Use (2)
- Easy to use (2)
- Leads the copycats (2)
- Free private repos (2)
- Profound (1)
- Dasf (1)
Pros of Snyk (upvotes in parentheses)
- Github Integration (10)
- Free for open source projects (5)
- Finds lots of real vulnerabilities (4)
- Easy to deploy (1)
Cons of GitHub (upvotes in parentheses)
- Owned by Microsoft (55)
- Expensive for lone developers that want private repos (38)
- Relatively slow product/feature release cadence (15)
- API scoping could be better (10)
- Only 3 collaborators for private repos (9)
- Limited featureset for issue management (4)
- Does not have a graph for showing history like git lens (3)
- GitHub Packages does not support SNAPSHOT versions (2)
- No multilingual interface (1)
- Takes a long time to commit (1)
- Expensive (1)
Cons of Snyk (upvotes in parentheses)
- Does not integrate with SonarQube (2)
- No malware detection (1)
- No surface monitoring (1)
- Complex UI (1)
- False positives (1)